We need a way to parse a rsa certificate request and return the public
key and subject names. The new function X509reqtoRSApub() works the
same way as X509toRSApub() but on a certificate request.
We also need to support certificates that are valid for multiple domain
names (as tlshand does not support certificate selection). For this
reason, a comma separated list is returned as the certificate subject,
making it symmetric to X509rsareq() handling.
A little helper is provided with this change (auth/x5092pub) that takes
a certificate (or a certificate request when -r flag is provided) and
outputs the RSA public key in plan 9 format appended with the subject
attribute.
git/export *almost* produces output that can be
emailed with upas using
git/export $commit | mail maintainer@site.com
but, the
From: commit-id date
line that git generates trips it up. Luckily,
'git am' doesn't seem to care much if that line
is missing, so we can simply omit it with no issue.
There are a number of alphabets in common use for base32
and base64 encoding, such as url-safe encodings.
This adds support for passing a function to encode into
arbitary alphabets.
Authsrv(6) used to be called auth(6) before
the fourth edition and was preprocessed by
eqn(6) before the third edition. The mkfile
was never updated to reflect the changes.
All other files are accounted for:
% cd /sys/man
% for(i in TS EQ PS G1) echo $i `{grep -l '^\.'$i ?/[0-9a-z]*}
TS 1/tbl
EQ 1/eqn 3/usb
PS 1/pic
G1 1/grap
%
When resizing windows, vt would signal ssh by updating
the window size and sending an interrupt. Ssh reacted
by forwarding both the winch and an interrupt.
This change adds a WINCH generation counter so that
ssh can differentiate between resizes and interrupts.
If an interrupt comes in, and the WINCH generation
changes, then the interrupt is taken as signalling a
WINCH.
The change to "assignment not used" breaks symmetry with
"used and not set" and removes the reference to the
specific warning mentioned in /sys/doc/comp.ms.
Also, the patch was half-assed as that it left some typos
in like "used an not set", which this change also fixed.
We weren't correctly skipping the location operators
in codefree. This would mostly be work, but sometimes
you'd get unlucky and have one of the argmuents mismatch,
and that would lead to an invalid free.
This correctly skips the args in codefree.
Since we now store /dist/plan9front in git, the
initial assumption that the owner of the repo
is the person touching it is not always true.
This change gives us a better heuristic for the
file permissions we should have in the files we
copy around, basing it off of the permissions of
the .git directory.
When loading a file using ".", we could
end up with our line numbers thrown off
due to the mutation of lexline. Putting
lexline into the runq beside the file
that we're reading from causes it to get
pushed and popped correctly, so that we
no longer lose track of our location.
when trying to request certificates from letsencrypt,
their test api would reject our csr because of
"tuncated sequence" unless we force subectAltName
by passing multiple domains (as comma separated list).
apparently, we need to provide the context specific tag
"cont [ 0 ]" for the extensions even when we do have
any extensions for the csr (triggered when we need to
have subjectAltNames).
for this, we change mkcont() to take a Elist* instead,
which then can be nil when not used. also put the tag
number argument first, which makes it easier to read.
As checking for all zero has to be done in a timing-safe
way to avoid a side channel, it is best todo this here
instead of letting the caller deal with it.
This adds a return type of int to curve25519_dh_finish()
where returning 0 means we got a all zero shared key.
RFC7748 states:
The check for the all-zero value results from the fact
that the X25519 function produces that value if it
operates on an input corresponding to a point with small
order, where the order divides the cofactor of the curve.
1. add the curve x25519 to tls, both client and server.
it's more faster, immune to timing attacks by design,
does not require verifying if the public key is valid,
etc etc. server-side has to check if the client supports
the curve, so a new function has been introduced to parse
the client's extensions.
2. reject weak dhe primes that can be easily cracked with
the number field sieve algorithm. this avoids attacks like
logjam.
3. stop putting unix time to the first 4 bytes of client/
server random. it can allow fingerprinting, tls 1.3 doesn't
recommend it any more and there was a draft to deprecate
this behaviour earlier.[1]
4. simply prf code, remove useless cipher enums.
[1] https://datatracker.ietf.org/doc/html/draft-mathewson-no-gmtunixtime-00
term% cal -s1 2021
2021
Jan Feb Mar
M Tu W Th F Sa Su M Tu W Th F Sa Su M Tu W Th F Sa Su
1 2 3 1 2 3 4 5 6 7 1 2 3 4 5 6 7
4 5 6 7 8 9 10 8 9 10 11 12 13 14 8 9 10 11 12 13 14
11 12 13 14 15 16 17 15 16 17 18 19 20 21 15 16 17 18 19 20 21
18 19 20 21 22 23 24 22 23 24 25 26 27 28 22 23 24 25 26 27 28
25 26 27 28 29 30 31 29 30 31
…
Note how the days (i.e. ' M Tu W Th F Sa Su') for Feb and Mar
do not align with the day numbers.
This is because an extra space is left *before* adding the terminating
'\0' via the pointer `dayw`.
With the patch applied the calendar aligns nicely for the year view:
term% cal -s1 2021
2021
Jan Feb Mar
M Tu W Th F Sa Su M Tu W Th F Sa Su M Tu W Th F Sa Su
1 2 3 1 2 3 4 5 6 7 1 2 3 4 5 6 7
4 5 6 7 8 9 10 8 9 10 11 12 13 14 8 9 10 11 12 13 14
11 12 13 14 15 16 17 15 16 17 18 19 20 21 15 16 17 18 19 20 21
18 19 20 21 22 23 24 22 23 24 25 26 27 28 22 23 24 25 26 27 28
25 26 27 28 29 30 31 29 30 31
…
When switching a branch implicitly -- ie, creating a local
branch off of a remote branch -- we would get the list of
changed files before we would resolve the implicit branch
switch, leading to an empty list of changes.
All of these files appear to have been imported from sources in a
case-insensitive manner and consequently lost their original content.
- Hx, Hb, and Hi fonts should be narrow versions of Helvetica
- c[1-3] fonts should be condensed versions of Century Old Style
- the lH character should be a filled left hand symbol
- the rh character should be a stroked right hand symbol
- the rc character should be the right ceiling symbol
I've verified that these are the only files that collide with others
when ignoring case (aside from rc/bin/[Kk]ill but those are correct).
git/import expected a patch, however upas/fs serves
either a raw file without any of the mime decoding
and line joining, or a directory, with the headers
and body split out.
This makes it a pain to apply some mails.
So, here we teach git to import upas dirs natively,
making it easy to handle all patches that come in
as emails.